401: The CREATE ENCRYPTION KEY query is received by the database system.

402: The system's parser converts the above SQL statement into a query tree having the keyname, keysize, password, initialization vector, and pad. The parser does some syntax error checking.

403: After passing through the normalizer and compiler untouched, the query tree created above arrives at the execution unit for processing.

404: Permission for executing CREATE ENCRYPTION KEY is checked.

405: The key management facility generates a unique database object ID for the encryption key.

406: If no user password is specified, the key management facility gets the system password (from the SYSATTRIBUTES system table) and decrypts the system default password (by calling the encryption module).

CONTINUE TO FIG. 4B

FIG. 4A
The key management facility may now build a key encryption key from a digest of the user/system password and internal static data.

The key management facility calls the encryption module to create a random symmetric key for keyname.

The column encryption key is encrypted using the key encryption key.

The key management facility saves the encrypted key, its object ID, algorithm, keylength, and status bits (in the SYSENCRYPTKEYS system table).

Similarly, the keyname, object ID, creation date and user ID (UID) are stored (in the SYSOBJECTS system table).
500: Upon receiving a CREATE TABLE SQL statement, the system's parser detects the ENCRYPT keyword and optional keyname on the statement and saves this information in the parse tree constructed for the statement.

502a: The utility looks up the key information (size, encryption attributes) in SYSENCRYPTKEYS (system table) for the database default key or the named key.

502b: The utility records additional schema descriptions in SYSCOLUMNS (system table) to reflect the encryption properties of the column, e.g., internal type (VARBINARY) and a length that will accommodate the encrypted value and the optional initialization vector. The utility also records in SYSCOLUMNS a cross reference (object ID of the key) to the column's encryption key in SYSENCRYPTKEYS.

DONE
The parser receives an INSERT statement from the user and creates an INSERT query tree.

The normalizer walks the query tree and uses SYSCOLUMNS to set up bits for the values for the columns which are encrypted. Encrypted columns are normalized using their external types.

The normalizer traverses the tree, looking for the encryption bit, and gets the keyid and keydbid for the column from SYSCOLUMNS. For encrypted columns, the normalizer adds an ENCRYPT built-in node above the value.

A tree-based structure is filled with key information from SYSENCRYPTKEYS. This internal structure is used later for compilation of the query execution plan.

CONTINUE TO FIG. 6B

FIG. 6A
CONTINUE FROM FIG. 6A

The module compiles the ENCRYPT built-in functions into E_COLENCRYPT run-time instructions and pushes the arguments (database ID, encryption key ID, data) onto the expression stack.

The key information is copied from the tree to the plan.

CONTINUE TO FIG. 6C

FIG. 6B
CONTINUE FROM FIG. 6B

For each symmetric key required for the encryption operation at run time, the unit decrypts the key using a key derived from the system/user password as described above in the details on CREATE ENCRYPTION KEY. The decrypted key is cached in the in-memory execution plan.

For each row of data, the unit invokes the encryption module to execute the E_COLENCRYPT instruction on each encrypted column written to the database. Encryption is done using the associated key value cached in the plan and according to properties defined by CREATE ENCRYPTION KEY (such as use of initialization vector or random padding).

622: At the end of processing all rows, the unit erases the encryption key values in memory.

DONE

FIG. 6C
Page 80 of 83
Docket No. SYB/01 10.01
PTO Cust. No. 31779
Sheet 11/13

BEGIN
The parser receives a SELECT statement from the user and creates a SELECT query tree.

The normalizer walks the SELECT query tree and sets up bits for the columns which are encrypted. Encrypted columns are normalized using their external types.

The tree may now be traversed to look for the encryption bit, as well as getting the keyid and keydbid for the column from the SYSCOLUMNS system table.

704: For encrypted columns, the DECRYPT built-in function is added above the column node so that decrypted data will be returned to the application or participate in any query expression.

705: A tree-based structure may now be filled with key information from SYSENCRYPTKEYS. This internal structure is used later for compilation of the plan.

706: Finally, the normalizer registers permission checks for encrypted columns to be performed at execution time.

CONTINUE TO FIG. 7B

FIG. 7A
CONTINUE FROM FIG. 7A

The module compiles the internal ENCRYPT built-in functions into E_COLDECRYPT runtime instructions and pushes the arguments (database ID, encryption key ID, data) onto the expression stack.

The key information is copied from the tree to the plan.

CONTINUE TO FIG. 7C

FIG. 7B
CONTINUE FROM FIG. 7B

721: The unit performs DECRYPT permission checking on all encrypted columns.

Before processing rows, for each symmetric key required for the decryption operation at run time, the unit decrypts the key using a static key derived from the system/user password as described above under SP encryption. The decrypted key is cached in the execution plan.

For each row of data, the unit invokes the encryption module to execute the E_COLDECRYPT instruction on each encrypted column read from the database. Decryption is done using the associated key value cached in the plan and according to properties defined by CREATE ENCRYPTION KEY (such as use of initialization vector or random padding).

At the end of processing all rows, the encryption key values in memory may be erased.

DONE
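The following is an added Python walk-through of the key hierarchy the flowcharts above describe, covering CREATE ENCRYPTION KEY (Figs. 4A/4B), the SYSCOLUMNS cross-reference and internal column length from CREATE TABLE ... ENCRYPT (Fig. 5), and the run-time path shared by INSERT and SELECT (Figs. 6C and 7C: unwrap each column key once before rows are processed, cache it in the plan, apply it per row, erase it when done). It is example code, not the patent's or any product's implementation. Everything it relies on is an assumption: the standard library only, so PBKDF2-HMAC-SHA256 stands in for the password "digest", an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the unspecified symmetric algorithm of the encryption module, plain dicts stand in for the SYSENCRYPTKEYS, SYSOBJECTS and SYSCOLUMNS tables, and the password, table, column and key names are constructed.

```python
"""Key hierarchy behind Figs. 4A/4B, 5, 6C and 7C. Added example, not the
patent's code. Stand-ins (all assumptions): PBKDF2 for the password digest,
HMAC-SHA256 counter mode + tag for the encryption module, dicts for the
system tables."""
import hashlib
import hmac
import secrets

INTERNAL_STATIC_DATA = b"constructed-internal-static-data"  # stand-in for the "internal static data" mixed into the KEK
IV_LEN, TAG_LEN = 16, 32


def derive_kek(password: bytes) -> bytes:
    """Fig. 4B: key encryption key from a digest of the user/system password plus internal static data."""
    return hashlib.pbkdf2_hmac("sha256", password, INTERNAL_STATIC_DATA, 100_000, 32)


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns iv || ciphertext || tag. A fresh random IV per call, so equal plaintexts yield different ciphertexts."""
    iv = secrets.token_bytes(IV_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag before unmasking: a wrong KEK or a tampered value is refused, not decoded to garbage."""
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))


def encrypted_column_length(external_len: int) -> int:
    """Fig. 5 (502b): internal VARBINARY length that holds the encrypted value plus the IV (and, here, the tag)."""
    return IV_LEN + external_len + TAG_LEN


def new_catalog() -> dict:
    """Constructed stand-ins for SYSENCRYPTKEYS, SYSOBJECTS and SYSCOLUMNS."""
    return {"sysencryptkeys": {}, "sysobjects": {}, "syscolumns": {}, "next_id": 1000}


def create_encryption_key(cat: dict, keyname: str, password: bytes, keysize: int = 32, uid: str = "dbo") -> int:
    """Figs. 4A/4B: new object ID, KEK from the password, random CEK, CEK wrapped by the KEK, records saved.
    Only the wrapped CEK reaches the catalog; the plaintext CEK is never stored."""
    obj_id = cat["next_id"]
    cat["next_id"] += 1
    cek = secrets.token_bytes(keysize)
    cat["sysencryptkeys"][obj_id] = {"wrapped": encrypt(derive_kek(password), cek),
                                     "algorithm": "hmac-ctr-stand-in", "keylength": keysize, "status": 0}
    cat["sysobjects"][keyname] = {"id": obj_id, "uid": uid}
    return obj_id


def create_table_encrypt(cat: dict, table: str, column: str, keyname: str) -> None:
    """Fig. 5 (502b): cross-reference from the column to its key's object ID in SYSENCRYPTKEYS."""
    cat["syscolumns"][(table, column)] = cat["sysobjects"][keyname]["id"]


def compile_plan(cat: dict, table: str, columns: list, password: bytes) -> dict:
    """Figs. 6C/7C, before any row: unwrap each required CEK once and cache it in the in-memory plan."""
    kek = derive_kek(password)
    plan = {}
    for col in columns:
        key_id = cat["syscolumns"][(table, col)]
        if key_id not in plan:
            plan[key_id] = decrypt(kek, cat["sysencryptkeys"][key_id]["wrapped"])
    return plan


def run_rows(cat: dict, plan: dict, table: str, columns: list, rows: list, op) -> list:
    """Per row, apply op (encrypt = E_COLENCRYPT, decrypt = E_COLDECRYPT) to each encrypted column using the
    cached key, then erase the cached key values (622 / end of Fig. 7C). Python bytes cannot be zeroed in place,
    so the plan simply drops its references."""
    out = [{c: op(plan[cat["syscolumns"][(table, c)]], r[c]) for c in columns} for r in rows]
    plan.clear()
    return out


def roundtrip_demo() -> dict:
    """Constructed end-to-end run: create key, create table, INSERT two identical values, SELECT them back."""
    cat, password = new_catalog(), b"constructed-user-password"
    create_encryption_key(cat, "ssn_key", password)
    create_table_encrypt(cat, "customers", "ssn", "ssn_key")
    rows = [{"ssn": b"123-45-6789"}, {"ssn": b"123-45-6789"}]  # identical on purpose: the IV must still differ
    insert_plan = compile_plan(cat, "customers", ["ssn"], password)
    stored = run_rows(cat, insert_plan, "customers", ["ssn"], rows, encrypt)
    select_plan = compile_plan(cat, "customers", ["ssn"], password)
    read_back = run_rows(cat, select_plan, "customers", ["ssn"], stored, decrypt)
    try:
        compile_plan(cat, "customers", ["ssn"], b"wrong-password")
        wrong_password_refused = False
    except ValueError:
        wrong_password_refused = True
    return {"stored": stored, "read_back": read_back, "plan_after": select_plan,
            "wrong_password_refused": wrong_password_refused}
```

The two properties worth checking when reviewing a design like this are visible in the demo: the catalog never holds a usable column key without the password-derived KEK (a wrong password fails at plan compilation, before any row is touched), and the per-row IV means repeated plaintexts do not produce repeated ciphertexts, which is what the "use of initialization vector" property in the flowcharts buys.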